Scammers’ Delight

Attacks on companies’ email systems are common, and losses are staggering. How can a business fight back against third-party fraud—and what are the risks of choosing to go to battle?

Santosh Aravind

October 5, 2020 08:00 AM

Cybercriminals seldom rest, always looking for vulnerabilities to exploit—and now they’re increasingly targeting private commercial transactions in what’s known as a business email compromise (BEC) attack. In such a breach, a cybercriminal infiltrates a company’s email system and poses as the owner of an important company email account. Pretending to be a specific executive, the thief then emails another business with which the first has an ongoing relationship, sending wire instructions that direct money legitimately owed to a bank account set up and controlled by the perpetrators of the scheme.

The email recipient, believing the message to be authentic, wires payment to the criminal’s account. By the time the two businesses figure out they’ve been had, it’s too late, and the money the second one sent to the first is long gone.

What happens in the wake of something like this? Can a victimized company recover the stolen funds? Can it possibly hope to recover from the criminal himself? If the perpetrator can’t be found, can the defrauded company recover the money from the one whose systems were hacked?

Hacking Businesses Is Good Business

According to the FBI’s Internet Crime Complaint Center (known as “IC3”), BEC cyberattacks on American companies have caused more than $8.2 billion in losses since 2013, with an additional $1.7 billion in adjusted losses in 2019 alone—the highest estimated out-of-pocket losses from any class of cybercrime over that period. IC3 also estimates global losses have exceeded $26 billion over the past three years. Given that many such crimes go unreported, the true figure is likely much higher.

BEC attacks increasingly occur on private business transactions because criminals, quite simply, see vulnerability. Companies engage in regular exchanges in which the buyer purchases a set amount of goods from a seller, and over time executives establish relationships with their counterparts. The nature of this friendly back-and-forth generally builds a degree of trust, which cybercriminals eagerly prey on.

In a typical scenario, a BEC attack originates with the criminal targeting an executive at a given company. Let’s say Company A supplies auto parts to Company B on a set schedule, for which the latter wires payment. Knowing this, the criminal will infiltrate Company A’s email system, often through a “phishing” scheme—sending a phony email or web link. Once the target clicks, the account is compromised. The criminal can then monitor the account’s messages and activity, becoming familiar with how the executive at Company A uses email and how exactly the transactions with Company B occur. Upon spotting a good opportunity, the criminal sends out a spoofed or otherwise compromised message requesting the wire transfer.

In this scenario, Company A is harmed because it has made the usual delivery to Company B but hasn’t been paid. Company B is harmed, too, though, because it has issued payment intended for Company A but now in the criminal’s coffers. Usually, Company A will demand legitimate payment from Company B, or demand that it send the merchandise back. Where to go from here?
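The control that would have stopped the scenario above is a pre-payment check on Company B’s side: compare the wire instructions in an incoming email with the bank details already on file for the vendor and, on any conflict, hold the payment until it is confirmed by phone using a number from the vendor record rather than from the email. The following is an added illustration, not code from the article or from any company it discusses; the vendor record, email headers and bank details are all constructed sample data.

```python
"""Pre-payment wire-instruction check for the Company A / Company B scenario.
Any bank detail that differs from the vendor record, or a sender domain that
is not the vendor's, holds the wire until confirmed out of band. Constructed
sample data only; the vendor record stands in for an accounts-payable master."""
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str       # domain the vendor has always written from
    bank_name: str
    routing_number: str
    account_number: str
    verified_phone: str     # captured at onboarding, never taken from an email


@dataclass(frozen=True)
class WireRequest:
    from_header: str
    reply_to_header: str    # empty when the message carries no Reply-To
    bank_name: str
    routing_number: str
    account_number: str


def _domain(header: str) -> str:
    addr = parseaddr(header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_wire_request(vendor: VendorRecord, req: WireRequest) -> dict:
    """Return findings plus whether the clerk may release the wire."""
    findings = []
    # Core BEC signal: "updated" bank details that differ from every prior
    # payment. A criminal inside the real mailbox sends from the genuine
    # address, so the domain checks below cannot be relied on alone.
    for field in ("bank_name", "routing_number", "account_number"):
        if getattr(req, field).strip().lower() != getattr(vendor, field).strip().lower():
            findings.append(f"{field} differs from vendor record")
    for label, header in (("From", req.from_header), ("Reply-To", req.reply_to_header)):
        if header and _domain(header) != vendor.email_domain.lower():
            findings.append(f"{label} domain {_domain(header)!r} is not the vendor's")
    if findings:
        action = f"HOLD: call {vendor.name} at {vendor.verified_phone} to confirm before paying"
    else:
        action = "RELEASE: instructions match the vendor record"
    return {"release": not findings, "findings": findings, "action": action}


# Constructed sample data: the usual request, and an "updated" one.
VENDOR = VendorRecord("Company A", "companya.example", "First Bank", "123456789", "000111222", "+1-555-0100")
USUAL = WireRequest("ap@companya.example", "", "First Bank", "123456789", "000111222")
UPDATED = WireRequest("CFO <cfo@companya.example>", "cfo@companya-example.net", "Other Bank", "987654321", "555666777")
```

Running `assess_wire_request(VENDOR, UPDATED)` holds the payment on three mismatched bank fields and the unfamiliar Reply-To domain, while the From address alone would have looked genuine.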

Recovering Cyberattack Assets From the Criminal

In the aftermath of a BEC attack, it is possible for victimized companies to recover lost assets. The FBI’s IC3 reported that in 2019, its Recovery Asset Team was able to claw back roughly 79 percent of potential losses on the claims referred to it, totaling $304.9 million. To have any hope of obtaining recovery from the criminal, though, a victimized company must report the fraud to the FBI or other law enforcement—and there are a number of reasons a business might be reluctant to do so. According to the Department of Justice, as of 2016, just 15 percent of corporate fraud victims nationwide report the crime.

Why are companies so wary? First, a business might view the pursuit of a cybercriminal as a waste of time and resources, especially when the hacker is determined to be operating overseas. Indeed, because so many cybercriminals ply their trade outside the United States, it’s often extremely difficult to hold them to account.

Second, apprehending the perpetrator might not be the company’s highest priority. It will focus instead on shoring up internal controls to ensure that it doesn’t fall victim again, as well as on fulfilling its legal obligations to notify regulators and the affected parties. It might be concerned about negative publicity or harm to its reputation. These worries are probably overblown, but they might lead a business to try to resolve related disputes with its partners informally or in the civil courts.

Recovering Assets from the Business Partner

When a company can’t recover money stolen by a cybercriminal, it might decide to seek recovery from the business partner. When such disputes can’t be resolved informally, they lead to litigation, focusing on which party was more negligent in enabling the scheme: Was it Company A, whose email system was initially hacked, or Company B, which sent the payment to a fraudulent account?

Recent years have seen a handful of court decisions involving BEC-scheme victims who have sued each other. Which company should bear the risk of loss? Courts so far have taken a similar approach to these cases.

The first relevant case was a 2015 dispute, Arrow Truck Sales v. Top Quality Truck & Equipment, Inc., in which one company, Top Quality, negotiated to sell a group of trucks to the other for $570,000. Both the seller’s and the purchaser’s email systems were hacked by third-party fraudsters who sent “updated” wiring instructions to the buyer, Arrow Truck, which believed them to be real; the criminals got away with the full $570,000 purchase price.

The district court noted that there was no applicable case law on the issue of which party bore the loss stemming from third-party fraud that resulted in nonperformance of the contract. It took guidance instead from the Uniform Commercial Code, which provides—under the “imposter rule”—that the party that suffers the loss is the one in the best position to prevent a forgery by exercising reasonable care. After a bench trial, the court determined on those grounds that the purchaser of the trucks should bear the loss. “The [wire] instructions involved completely different information from all of the previous instructions,” the court observed. “Simply put, [Arrow Truck] should have exercised reasonable care after receiving conflicting emails containing conflicting wire instructions by calling [Top Quality] to confirm or verify the correct wire instructions prior to sending the $570,000. As such, Arrow should suffer the loss associated with the fraud.”

In a 2016 case, Bile v. RREMC, a lawyer named Uduak Ubom had his email hacked. Ubom represented Amangoua Bile, a client who had just reached a $63,000 settlement with his former employer on an employment discrimination claim. The third-party fraudster used Ubom’s email to send updated wiring instructions to the law firm representing the employer. When the firm followed those directions, the criminal stole the money. Bile and his former employer, RREMC, then brought competing motions to enforce the settlement agreement. The court held an evidentiary hearing and determined that Ubom had failed to observe ordinary care, which contributed to the theft—and consequently Bile bore the loss. Notably, the court found that Ubom had knowledge of an attempted fraud days before the transfer took place but did not notify opposing counsel. The court thus adopted a rule that “where an attorney has actual knowledge that a malicious third party is targeting one of these cases with fraudulent intent, the attorney must either alert opposing counsel or must bear the losses to which his failure substantially contributed.”

Two years later, in Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., the latter car dealership agreed to purchase 20 SUVs from the former. As the deal came to a close, a criminal infiltrated Townsend’s email account and sent a message requesting that Hinds pay for the vehicles via wire transfer to an out-of-state bank. Hinds, believing the note was authentic, inadvertently wired the money to the criminal and picked up the SUVs. When Townsend later asked Hinds to return them, Hinds refused, and Townsend sued for breach of contract, among other causes of action.

The district court granted summary judgment for Townsend. Both parties were negligent: Townsend “should have maintained a more secure email system and taken quicker action upon learning that it might have been compromised,” it observed, whereas Hinds “should have ascertained that an actual agent of Beau Townsend was requesting that it send money by wire transfer.” Nonetheless, the court held that Hinds breached the agreement because Townsend had “not received any funds from Don Hinds[.]”

The Sixth Circuit, on appeal, reversed, finding the district court’s approach too simplistic. The Sixth Circuit reasoned that the case should be evaluated in two ways: under both contract law and agency law. Under contract law, the circuit court found that the case turned on the principle of mutual error: “[B]oth parties held the mistaken belief that they had agreed on a method of payment.” Because rescission of the contract—a common remedy for a mutual mistake—was not an option (Hinds couldn’t return the SUVs without being out the $730,000 purchase price), the Sixth Circuit turned to another provision of the Restatement (Second) of Contracts, which provides that the court may allocate the risk of loss to a party when “it is reasonable in the circumstances to do so.” The court then discussed both Arrow Truck and Bile, concluding that the district court, on remand, should determine “whether either Beau Townsend’s or Don Hinds’ failure to exercise ordinary care contributed to the hacker’s success, and would then have to apportion the loss according to their comparative fault.”

The Sixth Circuit also applied agency principles to support its view that the risk of loss could be apportioned between the two parties. Applying the Restatement and Ohio law, the court found that if “Beau Townsend had failed to exercise ordinary care in maintaining its email server, thus allowing the hacker to pose as [an employee], then Beau Townsend could be liable for Don Hinds’ reasonable reliance on the hacker’s emails. In addition, any potential liability would be reduced if Don Hinds also failed to exercise reasonable care.” Finally, the circuit court directed the trial court to “hold a trial to decide whether and to what degree each party is responsible for the $730,000 loss in this case.” To do so, the trial court must decide which party “was in the best position to prevent the fraud.”

In essence, Beau Townsend stands for the proposition that when a third-party criminal steals money from a contractual transaction between two others, a district court must conduct a factual inquiry to determine which party should bear the loss: whichever was more negligent because it was in the best position to prevent the fraud. If both parties are negligent, the loss may be apportioned between them.

Caution: Hazards Ahead

Recovering money from a business email compromise attack is difficult. The only way to recover from the criminal who launched the attack is to get law enforcement involved. A company might be reluctant to do that to begin with, and if the criminal is operating out of the country, recovery is likely impossible.

A business that has been victimized by a BEC attack might decide to proceed against a business partner, claiming it was that party’s negligence that enabled the attack to succeed. Filing such a suit, of course, can come at some cost: The litigation will end up assessing which company could best have prevented the scheme, and whose internal-security practices are better. Companies should proceed cautiously when filing suit unless they’re confident that their security protocols will withstand scrutiny. Otherwise, they might find themselves victimized a second time.

Santosh Aravind, partner at Scott, Douglass & McConnico, is an experienced trial lawyer representing individuals and companies in white-collar criminal investigations, regulatory enforcement proceedings, cyber-security matters, and complex commercial litigation. Santosh has represented clients in proceedings brought by the Securities and Exchange Commission, the United States Department of Justice, the Office of the Attorney General in Texas, the Massachusetts Attorney General’s Office, and various state agencies in Texas.
